You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition

Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Enterprise Architecture and Information Technology

This chapter marks the beginning of Domain 4 of CRISC: Information Technology and Security. This domain represents 22 percent (approximately 33 questions) of the revised CRISC exam. These topics form the technology foundation of an organization and are essential to learn and understand, not only for the exam but also for building a career in information security. In the following chapters, we will also cover information technology, information security principles, and data privacy.

The aim of this chapter is to introduce the concept of Enterprise Architecture (EA), the Capability Maturity Model (CMM), and IT operations such as network and technology concepts. Without a thorough understanding of the following topics, it is difficult to rationalize the security controls that should be implemented to secure IT assets including networks, networking devices, firewalls, and cloud resources...

Enterprise architecture

EA is the foundation for running any business effectively. A business has many parts, such as people, processes, technology, and data, that work together to produce value for customers, the goal being that customers buy from the business and make it profitable. The purpose of EA is to ensure these parts continue to work together and produce value for the business.

Though the scope of CRISC is limited to technology, it is important to understand the four major domains of EA and then drill into the technology architecture:

  • Business architecture: Business architecture captures how a business operates and defines business processes in the context of the organization. It also defines the role of the underlying software architecture, to ensure that the software does not become obsolete with respect to customer requirements.
  • Application architecture: Applications support businesses. Application architecture defines the software solutions...

The CMM framework

The CMM framework provides a structured approach for assessing and improving the maturity and capability of an organization’s processes. Its development began in 1986 at the Software Engineering Institute (SEI), based on a study of data collected from organizations working with the US Department of Defense.

The term maturity refers to the level of formality and optimization of processes, ranging from ad hoc practices, through formally defined steps and managed result metrics, to active optimization of those processes. While the CMM was originally developed to improve and objectively assess the software development processes of government contractors, it can also be applied to other processes. Later, the SEI at Carnegie Mellon University enhanced the CMM and developed the Capability Maturity Model Integration (CMMI), first released in 2000 and revised in 2002 and 2006. CMMI has largely replaced the CMM and addresses its limitations.

The following diagram depicts the five levels of the CMM:

Figure 14.2 – CMM maturity levels
...

Computer networks

The term computer networks refers to interconnected computing devices that can exchange data and resources. Networks are used for almost all modern technology operations. The following list includes some of the different ways in which they can be used:

  • Enabling access to the internet and other applications via a web browser
  • Transferring data between individuals
  • Transferring data between applications
  • Performing data backups
  • Controlling remote equipment
  • Enabling communication

Just like humans need a common language to communicate with each other, networked devices need common protocols to communicate with one another. Two main reference models describe how this communication is layered:

  • TCP/IP model: Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols used to connect devices to the internet. TCP/IP is a layered protocol, with each layer responsible for specific functions in the communication...

Networking devices

Networking devices are physical equipment that allow hardware devices to communicate and interact with other computer networks. The following is a brief summary of the different types of networking devices, together with the OSI layer at which each operates:

  • Repeater: A repeater is a two-port device (one input port and one output port) that regenerates a signal that has become weak or distorted over distance, extending the reach of a network segment. It operates at Layer 1 (the physical layer).
  • Bridge: A bridge is also a two-port device that joins two network segments into one logical network, forwarding frames between them based on MAC addresses. It operates at Layer 2 (the data link layer).
  • Switch: A switch is a multi-port bridge that forwards each frame only to the port associated with the destination MAC address, giving connected devices dedicated pathways. It operates at Layer 2.
  • Router: A router connects multiple switches and networks into a larger network by forwarding packets between networks based on their IP addresses. It operates at Layer 3 (the network layer).
  • Gateway: A gateway connects networks that use different protocols and translates between them; it can operate at any layer, up to Layer 7 (the application layer).

The following table details the functioning of each networking device and its corresponding OSI layer:

...

Firewalls

A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks specific traffic based on predefined security rules. A firewall can be a physical appliance (hardware) or software. The following is a summary of the different types of firewalls, each of which can be deployed as hardware or software:

  • Packet filtering firewall: These firewalls compare each packet to established criteria (typically source and destination IP address, protocol, and port) and allow or deny it based on predefined rules, without tracking the state of connections. These firewalls work at Layer 3 (the network layer) of the OSI model.
  • Circuit-level gateway firewall: These firewalls monitor TCP handshakes and established sessions to determine whether traffic belongs to a legitimate session, without inspecting the contents of individual packets. These firewalls work at Layer 5 (the session layer) of the OSI model.
  • Application-level gateway firewall: These firewalls provide the most secure connectivity as they examine each layer of communication, including the application payload. These firewalls work at the application layer (Layer 7) of the OSI...
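
The difference between the first two types is easiest to see in code. The following is an added example, not from the book: a stateless packet filter and a circuit-level (stateful) gateway evaluated on the same constructed packets. The internal prefix, hosts (RFC 5737 test addresses), ports and flags are all made up for illustration.

```python
"""Added example, not from the book: a stateless packet filter beside a
circuit-level (stateful) gateway, run on the same constructed TCP segments.
Hosts, ports and flags are invented; no real traffic is inspected."""
from dataclasses import dataclass

INSIDE = "10.0.0."   # hypothetical internal prefix
ANY = ""             # matches every address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on this segment


# --- Stateless packet filter (Layer 3/4 header fields only) -----------------
# (src prefix, dst prefix, sport, dport, flags that must be present) -> allow.
# Rules are tried in order; anything matching none of them is denied.
STATELESS_RULES = [
    (INSIDE, ANY, None, 443, frozenset()),            # inside -> any HTTPS
    # Replies must be let back in, but a stateless filter cannot tell whether an
    # inbound segment answers a request we sent, so it has to admit any segment
    # from port 443 that carries ACK. That hole is what the session tracker closes.
    (ANY, INSIDE, 443, None, frozenset({"ACK"})),
]


def rule_matches(rule, pkt: Packet) -> bool:
    src, dst, sport, dport, flags = rule
    return (pkt.src.startswith(src) and pkt.dst.startswith(dst)
            and (sport is None or pkt.sport == sport)
            and (dport is None or pkt.dport == dport)
            and flags <= pkt.flags)


def stateless_decision(pkt: Packet) -> str:
    return "allow" if any(rule_matches(r, pkt) for r in STATELESS_RULES) else "deny"


# --- Circuit-level gateway (Layer 5): follows the TCP handshake --------------
class CircuitGateway:
    """Admits inbound segments only for sessions an inside host opened to port 443."""

    def __init__(self):
        self.pending = set()      # SYN sent, SYN-ACK not yet acknowledged
        self.established = set()  # three-way handshake completed

    def decide(self, pkt: Packet) -> str:
        if pkt.src.startswith(INSIDE):                       # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                if pkt.dport != 443:
                    return "deny"                            # same outbound policy
                self.pending.add(key)
                return "allow"
            if key in self.established:
                return "allow"
            if key in self.pending and "ACK" in pkt.flags:   # final handshake ACK
                self.pending.discard(key)
                self.established.add(key)
                return "allow"
            return "deny"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)       # inbound: flip the tuple
        if key in self.established:
            return "allow"
        if key in self.pending and pkt.flags == frozenset({"SYN", "ACK"}):
            return "allow"
        return "deny"                                        # unsolicited inbound


def run_scenario():
    """Returns {label: (stateless decision, circuit-level decision)} for a legitimate
    HTTPS session followed by a forged 'reply' aimed at an internal RDP port."""
    client, server, attacker = "10.0.0.5", "198.51.100.20", "203.0.113.9"
    flow = [
        ("syn",     Packet(client, 51000, server, 443, frozenset({"SYN"}))),
        ("syn_ack", Packet(server, 443, client, 51000, frozenset({"SYN", "ACK"}))),
        ("ack",     Packet(client, 51000, server, 443, frozenset({"ACK"}))),
        ("data_in", Packet(server, 443, client, 51000, frozenset({"ACK", "PSH"}))),
        # Forged ACK from source port 443: no inside host ever opened this connection.
        ("spoofed", Packet(attacker, 443, client, 3389, frozenset({"ACK"}))),
    ]
    gw = CircuitGateway()
    return {label: (stateless_decision(p), gw.decide(p)) for label, p in flow}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:8} stateless={stateless:5} circuit-level={stateful}")
```

The legitimate session passes both devices, but the forged segment passes only the stateless filter: its rule set had to admit every inbound ACK from port 443 to let genuine replies through, while the gateway rejects it because no inside host sent a SYN for that connection.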

Intrusion detection and prevention systems

The purpose of firewalls is to allow legitimate traffic and block malicious traffic. However, firewall rules cannot anticipate every attack, so an intrusion system is needed to catch malicious traffic that the firewalls let through. There are two forms of intrusion systems:

  • Intrusion Detection System (IDS): An IDS detects potentially malicious traffic but doesn’t block it. Whenever an IDS detects malicious traffic, it sends an alert to the responsible teams to investigate. Therefore, it’s critical to fine-tune the IDS rules to appropriate thresholds so those teams don’t get slammed with thousands of false positive alerts. IDSs are passive systems that only observe a copy of the network traffic (for example, from a SPAN port or a network tap), hence they do not affect network throughput.
  • Intrusion Prevention System (IPS): An IPS detects and blocks malicious traffic. An IPS must be deployed inline, in the path of the traffic, so it can prevent traffic from entering the network...
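
The threshold-tuning point and the IDS/IPS distinction can both be shown with a small engine. The following is an added example, not from the book: a threshold-based detector run over constructed authentication log lines, once in IDS mode (alert only) and once in IPS mode (drop inline). The log format, addresses, users and timestamps are all invented.

```python
"""Added example, not from the book: a threshold-based intrusion system run over
constructed authentication log lines in IDS mode (alert only) and IPS mode (drop
inline). Addresses, users and timestamps are made up to illustrate tuning."""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed log (timestamps in seconds). 10.0.0.7 is an employee who mistyped a
# password twice; 203.0.113.9 sprays seven guesses in seven seconds, then succeeds.
SAMPLE_LOG = """\
100 FAIL user=alice src=10.0.0.7
130 FAIL user=alice src=10.0.0.7
160 OK user=alice src=10.0.0.7
200 FAIL user=admin src=203.0.113.9
201 FAIL user=root src=203.0.113.9
202 FAIL user=backup src=203.0.113.9
203 FAIL user=test src=203.0.113.9
204 FAIL user=admin src=203.0.113.9
205 FAIL user=admin src=203.0.113.9
206 FAIL user=admin src=203.0.113.9
207 OK user=admin src=203.0.113.9
""".splitlines()


def run(lines, threshold, window, mode="ids"):
    """Alert when a source accumulates `threshold` failures within `window` seconds.
    Returns (alerts, delivered): alerts as (ts, src); delivered = the lines that
    reached the protected server (in IPS mode, a flagged source is dropped)."""
    failures = defaultdict(deque)
    blocked, alerts, delivered = set(), [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # ignore lines the parser does not understand
        ts, src = int(m["ts"]), m["src"]
        if src in blocked:
            continue                      # IPS sits inline: nothing more gets through
        delivered.append(line)
        if m["result"] != "FAIL":
            continue
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src))
            q.clear()                     # re-arm instead of alerting on every later failure
            if mode == "ips":
                blocked.add(src)
    return alerts, delivered


def flagged_sources(threshold, window, mode="ids"):
    alerts, _ = run(SAMPLE_LOG, threshold, window, mode)
    return {src for _, src in alerts}


def delivered_count(threshold, window, mode):
    return len(run(SAMPLE_LOG, threshold, window, mode)[1])


if __name__ == "__main__":
    print("threshold 2/60s:", sorted(flagged_sources(2, 60)))    # employee is a false positive
    print("threshold 5/60s:", sorted(flagged_sources(5, 60)))    # only the attacker
    print("IDS delivered  :", delivered_count(5, 60, "ids"))     # the successful login still lands
    print("IPS delivered  :", delivered_count(5, 60, "ips"))     # dropped before it arrives
```

With a threshold of two failures per minute the employee's typos raise an alert alongside the attacker's spray; raising it to five keeps only the attacker. In IDS mode every line, including the attacker's eventual successful login, still reaches the server and the team must react to the alert; in IPS mode the source is dropped at the fifth failure and the later lines never arrive.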

The Domain Name System

The DNS is a critical component of the internet that acts as a directory for internet domain names and their corresponding IP addresses. Essentially, it acts as a telephone book for the internet, allowing you to associate a memorable and recognizable domain name (for example, www.grcmusings.com) with a series of numbers that make up the IP address (for example, 162.241.252.221).

When you type a URL or domain name into your web browser, your computer sends a request to a DNS server to convert the domain name into an IP address. The DNS server then returns the IP address for the domain name, which the browser uses to connect to the website’s server and display the website’s content.

For example, if you type www.grcmusings.com into your web browser, the DNS server will translate the domain name into 162.241.252.221, which is the GRCMusings site’s IP address. The browser then uses this IP address to connect to the website’s server...
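
The request and reply described above are ordinary DNS wire-format messages. The following is an added example, not from the book: it builds the A query for www.grcmusings.com, then parses a response that is constructed in the same script (no network is used), applying the checks a resolver must make before trusting an answer. The transaction ID, TTL and the response bytes are made up; the IP address is the one quoted in the text.

```python
"""Added example, not from the book: build a DNS A query and parse a constructed
response (including a compressed owner name), with the sanity checks a resolver
performs. No network I/O; the response bytes are fabricated below."""
import struct


def encode_name(name: str) -> bytes:
    """'www.example' -> b'\x03www\x07example\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    # Header: id, flags (RD=1), qdcount=1, ancount/nscount/arcount=0; then one question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def decode_name(msg: bytes, off: int):
    """Read a possibly compressed name at `off`; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # the pointer is the last thing read
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode())
        off += length


def parse_response(msg: bytes, expected_id: int):
    """Return [(name, ttl, dotted IPv4)] for the A records, or raise on a bad reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch (reply not for our query, possibly spoofed)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                                        # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            answers.append((name, ttl, ".".join(map(str, rdata))))
    return answers


def is_accepted(msg: bytes, expected_id: int) -> bool:
    try:
        parse_response(msg, expected_id)
        return True
    except ValueError:
        return False


def constructed_response(query: bytes) -> bytes:
    """Fabricate the server's reply: echo the question, then one A record whose
    owner name is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([162, 241, 252, 221])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query(0x1234, "www.grcmusings.com")
    print(parse_response(constructed_response(q), 0x1234))
```

The transaction ID check is the one that matters most for security: a resolver that accepts any reply from port 53, regardless of ID, can be fed a forged answer and will happily send the browser to an attacker's address instead of 162.241.252.221.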

Wireless networks

Wireless networks or Wi-Fi networks are computer networks that use wireless communication to transmit data between devices. Unlike traditional wired networks that use cables to connect devices, wireless networks use radio waves to transmit data over the air. This allows devices such as laptops, smartphones, tablets, and other Wi-Fi-enabled devices to connect to the internet and exchange data without the need for physical cables.

Wireless networks are typically created using a wireless router or access point, which acts as a central hub for transmitting and receiving data. Wireless networks are also exposed to specific security risks, such as attacks and unauthorized access, or the installation of a rogue wireless access point (WAP) that creates its own wireless network to lure clients. To protect against these risks, it is important for the risk manager to ensure the wireless network is secured with strong encryption, such as WPA2 (or WPA3 where supported), and to train employees frequently on using secure networks while accessing...

Virtual private networks

Imagine that you have a corporate device that you want to connect to a private network, such as your workplace network. Without a Virtual Private Network (VPN), you would need to be physically connected to that network, either by being on-site or by using some other remote access tool that connects you to it. A VPN makes this possible remotely: it creates a secure, encrypted tunnel over a less secure network, such as the public internet. The purpose of a VPN is to provide a way to connect to a private network, such as a workplace network, from a remote location. This is particularly useful for employees who work from home or while traveling and need to access sensitive company data without compromising its security.

When you connect to a VPN, the device first establishes an encrypted connection to the VPN server that can be located anywhere in the world. Once this connection is established, the device then uses the VPN...

Cloud computing

Cloud computing enables users to access computing resources managed by a third party over the internet. It provides a scalable and flexible infrastructure for deploying and managing a wide range of applications and services without the need for on-premises hardware and infrastructure.

At the core of cloud computing is the concept of virtualization. Virtualization allows multiple users to share the same physical resources, such as servers, compute, network, and storage, by creating virtual machines or containers. This enables cloud providers to deliver computing resources on demand, and users to access these resources from anywhere with an internet connection.

Now, let’s briefly look at the various cloud computing service models in the upcoming sections.

Cloud computing service models

Cloud computing primarily provides three service models that organizations can choose from according to their requirements:

  • Infrastructure as a Service (IaaS): IaaS provides...

Summary

At the beginning of this chapter, we learned about EA and the CMM, and the importance of each for maturing the organization’s EA and measuring the maturity of its implemented processes and systems. After that, we looked at the components of technology architecture, such as networks, networking devices, firewalls, IDSs/IPSs, DNS, wireless networks, and VPNs, and their relevance as the backbone of IT operations. Finally, we learned about cloud computing, cloud computing deployment models, and security considerations for implementing cloud computing.

In the next chapter, we will learn about enterprise resiliency and data life cycle management.

Review questions

  1. Networking devices, storage, and software are components of:
    A. Business architecture
    B. Technology architecture
    C. Data architecture
    D. Application architecture
  2. Which of the following is not a property of the Defined process of the Capability Maturity Model?
    A. Well characterized and understood
    B. Defined at the organizational level
    C. Proactive
    D. Unpredictable
  3. Which of the following is Layer 3 of the TCP/IP model?
    A. Physical
    B. Data link
    C. Network
    D. Application
  4. Which of the following is Layer 5 of the OSI model?
    A. Physical
    B. Application
    C. Session
    D. Transport
  5. Which of the following technologies provides a secure tunnel to log in remotely to a corporate network?
    A. Intrusion Detection System
    B. Intrusion Prevention System
    C. Virtual Private Network
    D. Domain Network System
  6. Which of the following protocols is used to implement a VPN?
    A. DNS
    B. IPSec
    C. SSL
    D. SSO
  7. Which of the following is an example of on-demand compute, network, and storage computing services?
    A. Platform as a Service (PaaS)
    B. Software as a Service (SaaS)
    C. Infrastructure...

Answers

The following are the answers to the questions in the previous section:

  1. B. The components mentioned in the question are an example of technology architecture.
  2. D. Unpredictable is not a property of the Defined process.
  3. C. The network layer is Layer 3 of the TCP/IP model.
  4. C. The session layer is Layer 5 of the OSI model.
  5. C. A VPN creates a tunnel between unprotected networks and the corporate network to enable secure access.
  6. B. The IPSec protocol enables VPN implementation.
  7. C. On-demand compute, network, and storage computing services are an example of IaaS.
  8. B. An online video game platform that lets users play games without installing any software is an example of SaaS.
  9. B. Computing resources are not shared with other customers in a private deployment model.
  10. C. A community cloud deployment model lets similar organizations share the underlying cloud resources.